Newswise — Telecommuting has freed many to work far from the confines of the office via laptop, but the price of working while sipping a latte at that sunny café is the danger that a public network will not keep the data that passes through it safe. Now, to combat the risk inherent in remote access, the National Institute of Standards and Technology (NIST) has updated its guide on maintaining data security while teleworking.
The revised guide offers advice for protecting the wide variety of private and mobile devices from threats that have appeared since the first edition appeared in August 2002. Together with the preponderance of dangerous malware on the Web, the vulnerability of wireless transmissions from mobile devices has created dramatic new security challenges.
“In terms of remote access security, everything has changed in the last few years. Many Web sites plant malware and spyware onto computers, and most networks used for remote access contain threats but aren’t secured against them,” says Karen Scarfone of NIST’s Computer Security Division. “However, even if teleworkers are using unsecured networks, the guide shows the steps organizations can take to protect their data.”
Among these steps is the recommendation that an organization’s remote access servers—the computers that allow outside hosts to gain access to internal data—be located and configured in ways that protect the organization. Another is to ensure that all mobile and home-based devices used for telework be configured with security measures so that exchanged data will maintain its confidentiality and integrity. Above all, Scarfone says, an organization’s policy should be to expect trouble and plan for it.
“You should assume external environments contain hostile threats,” she says. “This is a real philosophy shift from several years ago, when the attitude was essentially that you could trust the home networks and public networks used for telework.”
The new guide provides recommendations for organizations. A companion publication* offers advice for individual users on securing their own mobile devices.
While intended primarily for U.S. federal government agencies, the guide has been written in broad language in order to be helpful to any group that engages in telework. Formally titled Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, it is available at the NIST Computer Security Resource Center’s draft publication Web site: http://csrc.nist.gov/publications/PubsDrafts.html.
* SP 800-114, User’s Guide to Securing External Devices for Telework and Remote Access, http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf.
The National Institute of Standards and Technology (part of the U.S. Department of Commerce) actually has 2 guides that are great resources for anyone wishing to ensure their data is as secure as possible.
Both of these guides are in PDF format – and they are meant to supplement each other:
This document is intended to assist those responsible – users, system administrators, and management – for telecommuting security, by providing introductory information about broadband communication security and policy, security of home office systems, and considerations for system administrators in the central office. It addresses concepts relating to the selection, deployment, and management of broadband communications for a telecommuting user. This document is not intended to provide a mandatory framework for telecommuting or home office broadband communication environments, but rather to present suggested approaches to the topic.
This publication helps teleworkers secure the external devices they use for telework, such as personally owned and third-party privately owned desktop and laptop computers and consumer devices (e.g., cell phones, personal digital assistants [PDA]). The document focuses specifically on security for telework involving remote access to organizations’ nonpublic computing resources. It provides practical, real-world recommendations for securing telework computers’ operating systems (OS) and applications, as well as home networks that the computers use. It presents basic recommendations for securing consumer devices used for telework. The document also presents advice on protecting the information stored on telework computers and removable media. In addition, it provides tips on considering the security of a device owned by a third party before deciding whether it should be used for telework.